File name:	_2368e264cafd9c6699c2ef958e873926b7f7575e52318c705127a166e4ab53dc.exe
Full analysis:	https://app.any.run/tasks/13458b17-0471-4be8-a756-7c480ab641ad
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 07, 2026, 21:10:38
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	amadey botnet stealer golang
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	8B3C9E5BDD95E9229BC55546E447F864
SHA1:	E5F3933D87FF5932469EEC207F01660083A57CC4
SHA256:	2368E264CAFD9C6699C2EF958E873926B7F7575E52318C705127A166E4AB53DC
SSDEEP:	49152:Wf16I4RmNwut2UN6eDHEv5esRC7DOnQTeWzWRttBAZ7bAbwK4ASAKs4dKkwkVseT:3I4RMwu6HflgR8Rmd4NO3bCsk9c

.exe	\|	Win32 Executable MS Visual C++ (generic) (41)
.exe	\|	Win64 Executable (generic) (36.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.6)
.exe	\|	Win32 Executable (generic) (5.9)
.exe	\|	Win16/32 Executable Delphi generic (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	3
CodeSize:	945664
InitializedDataSize:	16384
UninitializedDataSize:	-
EntryPoint:	0x66fc0
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows GUI

PID	Process	Filename		Type
7780	_2368e264cafd9c6699c2ef958e873926b7f7575e52318c705127a166e4ab53dc.exe	C:\Windows\Tasks\Bwale.job		binary
		MD5:A5E09635C6BF78D7FE5A1B0BC498B642	SHA256:7C1D2053A782EB8F17F88894BBEFB5BF80CE2103E663DCD9F9B2910BD87DEF06
7780	_2368e264cafd9c6699c2ef958e873926b7f7575e52318c705127a166e4ab53dc.exe	C:\Users\admin\AppData\Local\Temp\adb7f46c0c\Bwale.exe		executable
		MD5:8B3C9E5BDD95E9229BC55546E447F864	SHA256:2368E264CAFD9C6699C2EF958E873926B7F7575E52318C705127A166E4AB53DC

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
6628	SIHClient.exe	GET	304	135.232.92.137:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
7784	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
7784	svchost.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
7448	Bwale.exe	POST	200	91.92.242.236:80	http://91.92.242.236/oPvjr94jfe/index.php	SC	text	8 b	malicious
7784	svchost.exe	GET	200	40.127.240.158:443	https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2	US	text	5.80 Kb	whitelisted
7448	Bwale.exe	POST	200	91.92.242.236:80	http://91.92.242.236/oPvjr94jfe/index.php	SC	binary	1 b	malicious
5316	svchost.exe	POST	400	20.190.159.129:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
5316	svchost.exe	POST	200	20.190.159.129:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	whitelisted
5316	svchost.exe	POST	400	20.190.159.129:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
google.com	142.251.110.138 142.251.110.139 142.251.110.102 142.251.110.113 142.251.110.100 142.251.110.101	whitelisted
crl.microsoft.com	23.216.77.42 23.216.77.25 23.216.77.28 23.216.77.36 23.216.77.20 23.216.77.6 23.216.77.30 23.216.77.22	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	20.190.159.129 20.190.159.64 20.190.159.75 40.126.31.130 40.126.31.67 40.126.31.128 20.190.159.128 20.190.159.73	whitelisted
slscr.update.microsoft.com	135.232.92.137	whitelisted
fe3cr.delivery.mp.microsoft.com	74.178.76.54	whitelisted
self.events.data.microsoft.com	20.189.173.11	whitelisted

PID	Process	Class	Message
7448	Bwale.exe	Misc activity	INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
7448	Bwale.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
7448	Bwale.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 14
7448	Bwale.exe	Malware Command and Control Activity Detected	ET MALWARE Amadey CnC Response

General Info

_2368e264cafd9c6699c2ef958e873926b7f7575e52318c705127a166e4ab53dc.exe

8B3C9E5BDD95E9229BC55546E447F864

E5F3933D87FF5932469EEC207F01660083A57CC4

2368E264CAFD9C6699C2EF958E873926B7F7575E52318C705127A166E4AB53DC

49152:Wf16I4RmNwut2UN6eDHEv5esRC7DOnQTeWzWRttBAZ7bAbwK4ASAKs4dKkwkVseT:3I4RMwu6HflgR8Rmd4NO3bCsk9c

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

AMADEY has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Starts itself from another location

Contacting a server suspected of hosting an CnC

The process executes via Task Scheduler

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Reads security settings of Internet Explorer

Application based on Golang

There is functionality for taking screenshot (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings